Updating OAuth Scope Issue

Wils

Hi everyone,

I recently started developing a public app for Shopify, but I'm currently facing an OAuth issue, particularly with updating scopes/permissions. Note: I am using Ruby on Rails and the shopify_app gems. In my custom controller, which inherits from ShopifyApp::AuthenticatedController, what I'm trying to achieve is to update the scope based on params being parsed in, e.g. "write_products,write_customers".

      def create
        ShopifyAPI::Session.setup(api_key: ENV['SHOPIFY_API_KEY'], secret: ENV['SHOPIFY_API_SECRET'])
        shopify_session = ShopifyAPI::Session.new(
          domain: current_shop.shopify_domain, api_version: '2020-07', token: nil
        )
        scope = params[:permission_scopes]
        nonce = SecureRandom.hex(10)
        Rails.cache.write("scope_permissions", scope)
        permission_url = shopify_session.create_permission_url(
          [scope], "https://#{ENV['APP_BASE_URL']}/auth/shopify/callback", { state: nonce }
        )
        session['shopify.oauth.scope'] = scope
        redirect_to(permission_url)
      end

After being redirected and clicking to update the access scope/permission, Shopify returns a callback, e.g.

Started GET "/auth/shopify/callback?code=1b23d68f6c29d729d5ba2164c7748527&hmac=116d887dc26522ef868f09b94bbf00c97ea52030909426e7fb28bbcb890ccb12&shop=MY_EXAMPLE_SHOP.myshopify.com&state=de1904c3da862a40c4c8&timestamp=1595487017" for 127.0.0.1 at 2020-07-23 14:50:17 +0800

However, I tried the following solutions in the lambda: https://github.com/Shopify/omniauth-shopify-oauth2/issues/60#issuecomment-313731454

      # config/initializer/omniauth.rb

      # frozen_string_literal: true
      Rails.application.config.middleware.use(OmniAuth::Builder) do
        provider :shopify,
          ShopifyApp.configuration.api_key,
          ShopifyApp.configuration.secret,
          setup: lambda { |env|
            strategy = env['omniauth.strategy']

            shopify_auth_params = strategy.session['shopify.omniauth_params']&.with_indifferent_access
            shop = if shopify_auth_params.present?
              "https://#{shopify_auth_params[:shop]}"
            else
              ''
            end

            strategy.options[:client_options][:site] = shop
            strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
            strategy.options[:per_user_permissions] = strategy.session[:user_tokens]
            strategy.options[:scope] = strategy.session['shopify.oauth.scope']
            strategy.session['omniauth.state'] = strategy.request.params['state']
          }
      end

I byebugged strategy.session['shopify.oauth.scope'] and it results in nil. The end result is the error:

invalid_scope | Scope does not match, it may have been tampered with.

Any help or hints provided will be greatly appreciated. Thanks for reading.

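Added example, not part of the original post and not code from shopify_app or omniauth-shopify-oauth2: a sketch of the checks a callback like the one above has to pass, showing that a requested scope missing from the session at callback time ends in `invalid_scope`, and that the state is compared against the value stored before the redirect. `check_callback`, `sample_callback` and the sample secret are hypothetical names and constructed values; the session keys are the ones used in the post, and the HMAC rule (sorted `key=value` pairs without `hmac`, HMAC-SHA256 with the app secret) follows Shopify's OAuth documentation.

```ruby
require 'openssl'
require 'securerandom'

SAMPLE_SECRET = 'constructed-secret' # constructed value, not a real credential

# Comma-separated scope string -> sorted, de-duplicated list.
def normalize_scopes(scopes)
  scopes.to_s.split(',').map(&:strip).reject(&:empty?).uniq.sort
end

# HMAC-SHA256 over the sorted "key=value" pairs, leaving out hmac itself.
def callback_hmac(params, secret)
  message = params.reject { |k, _| k == 'hmac' }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  OpenSSL::HMAC.hexdigest('SHA256', secret, message)
end

# Constant-time string comparison.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, or the reason the callback is rejected.
# granted_scope stands in for the scope returned with the access token.
def check_callback(params, session, secret, granted_scope)
  return :bad_hmac unless secure_equal?(callback_hmac(params, secret), params['hmac'].to_s)
  expected = session.delete('omniauth.state') # single use, stored before the redirect
  return :bad_state if expected.nil? || !secure_equal?(expected, params['state'].to_s)
  requested = normalize_scopes(session['shopify.oauth.scope'])
  return :invalid_scope unless requested == normalize_scopes(granted_scope)
  :ok
end

# Constructed callback parameters, signed with the sample secret.
def sample_callback(state)
  params = { 'code' => 'constructed-code', 'shop' => 'example-shop.myshopify.com',
             'state' => state, 'timestamp' => '1595487017' }
  params.merge('hmac' => callback_hmac(params, SAMPLE_SECRET))
end

if __FILE__ == $PROGRAM_NAME
  nonce = SecureRandom.hex(10)
  kept = { 'omniauth.state' => nonce, 'shopify.oauth.scope' => 'write_products,write_customers' }
  lost = { 'omniauth.state' => nonce } # scope missing from the session at callback time
  granted = 'write_customers, write_products'
  puts check_callback(sample_callback(nonce), kept, SAMPLE_SECRET, granted) # ok
  puts check_callback(sample_callback(nonce), lost, SAMPLE_SECRET, granted) # invalid_scope
end
```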